MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d69097f5a6e739744e99c3673e729cc77f7bb884eb78b5bbc9e22344510bf06. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Adware.Techsnab


Vendor detections: 10


Intelligence 10 IOCs YARA 28 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9d69097f5a6e739744e99c3673e729cc77f7bb884eb78b5bbc9e22344510bf06
SHA3-384 hash: babbb9002ff80a75b0951185dafe23c0991862bbae14aad0049bb189a1e0d452e43e842cfaca822e22a755dd2a1085cd
SHA1 hash: 022f9e5963c311f56aff9198be654389528e0f65
MD5 hash: 87838fd2006e3b2dce09e04aaaa3b185
humanhash: gee-lamp-nevada-table
File name:022f9e5963c311f56aff9198be654389528e0f65.exe
Download: download sample
Signature Adware.Techsnab
Create hunting rule
File size:5'147'784 bytes
First seen:2026-02-04 07:44:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b0857b7f29b53f204b1e02bbf09cdedd (1 x Adware.Techsnab)
ssdeep 49152:2uFXw82QxmV8Gza4DS3fMChhi3uJaPgd1ZoYwBP56A36NkBg1Zys0UkOkS6mSXCu:2uFXg8GzaKoXhhiA975ZyhR
Threatray 1 similar samples on MalwareBazaar
TLSH T10D363931B645C072D19B1B3E1EA6F3AA943B7911AF93C3C335804B5E09316E9BD39297
TrID 42.0% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
31.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
10.6% (.EXE) Win64 Executable (generic) (10522/11/4)
5.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter Anonymous
Tags:Adware.Techsnab exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
Win_Driver_SSL_support_v43.22.209.44.exe
Verdict:
Malicious activity
Analysis date:
2026-02-04 00:42:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/87a208fe-eda4-496c-97c7-f48b18d28a72

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/51617/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=698295dc9a60ec70d92c9838
Tags:
vmdetect
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm base64 datper expand expired-cert fingerprint installer installer installer-heuristic invalid-signature lolbin microsoft_visual_cc nsis packed short-lived-cert signed
Link:
https://www.filescan.io/uploads/6982f914930564ff3c88e4de/reports/295b4501-48fb-4b40-b525-8d5492c1d13f/overview
Verdict:
Malicious
Labled as:
Trojan.GenHeur
Link:
https://www.hybrid-analysis.com/sample/9d69097f5a6e739744e99c3673e729cc77f7bb884eb78b5bbc9e22344510bf06
Result
Gathering data
Verdict:
Clean
File Type:
exe x32
Link:
https://opentip.kaspersky.com/9d69097f5a6e739744e99c3673e729cc77f7bb884eb78b5bbc9e22344510bf06/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c71c5ac4-7b03-4423-82ca-c03220f5ef7b
Score:
40%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/9d69097f5a6e739744e99c3673e729cc77f7bb884eb78b5bbc9e22344510bf06
Verdict:
inconclusive
YARA:
8 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/87838fd2006e3b2dce09e04aaaa3b185
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9d69097f5a6e739744e99c3673e729cc77f7bb884eb78b5bbc9e22344510bf06/
Verdict:
Malicious
Threat:
Family.SECTOPRAT
Link:
https://tip.neiki.dev/file/9d69097f5a6e739744e99c3673e729cc77f7bb884eb78b5bbc9e22344510bf06
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tvuqs722nzzzorhjtq3hhzzjzr37po4ij23yww54tyrdiriqx4da._file
Verdict:
malicious
Label(s):
unc_loader_053
Create hunting rule
Similar samples:
9d69097f5a6e739744e99c3673e729cc77f7bb884eb78b5bbc9e22344510bf06
Adware.Techsnab
error
Adware.Techsnab
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery execution persistence spyware stealer
Link:
https://tria.ge/reports/260204-jlkptshy7a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Badlisted process makes network request
Malware Config
Dropper Extraction:
http://194.150.220.218/4SLEYpfAk57hGubo/sapodilla
http://194.150.220.218/4SLEYpfAk57hGubo/froelichia
http://194.150.220.218/4SLEYpfAk57hGubo/malacca
Unpacked files
SH256 hash:
9d69097f5a6e739744e99c3673e729cc77f7bb884eb78b5bbc9e22344510bf06
MD5 hash:
87838fd2006e3b2dce09e04aaaa3b185
SHA1 hash:
022f9e5963c311f56aff9198be654389528e0f65
Link:
https://www.unpac.me/results/9d3c788e-85c9-41f7-8a11-843cea8cd1c9/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9d69097f5a6e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9d69097f5a6e739744e99c3673e729cc77f7bb884eb78b5bbc9e22344510bf06

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:Check_VmTools
Create hunting rule
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:dgaagas
Create hunting rule
Author:Harshit
Description:Uses certutil.exe to download a file named test.txt
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Suspicious_Process
Create hunting rule
Author:Security Research Team
Description:Suspicious process creation
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:TH_Generic_MassHunt_Win_Malware_2025_CYFARE
Create hunting rule
Author:CYFARE
Description:Generic Windows malware mass-hunt rule - 2025
Reference:https://cyfare.net/
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants
Rule name:WIN_FileFix_Detection
Create hunting rule
Author:dogsafetyforeverone
Description:Detects FileFix social engineering technique that launches chained PowerShell and PHP commands from file explorer typed paths
Reference:FileFix social engineering with PowerShell and PHP commands

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Adware.Techsnab

Executable exe 9d69097f5a6e739744e99c3673e729cc77f7bb884eb78b5bbc9e22344510bf06

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/51617/
  
URLhaus
https://urlhaus.abuse.ch/url/3765010/
  
Delivery method
Distributed via web download

Comments